Posted to users@subversion.apache.org by Ross Boylan <ro...@biostat.ucsf.edu> on 2009/10/19 20:20:48 UTC

port forwarding questions

My subversion server is running under Apache, and I have clients from
several machines connecting to it simultaneously via ssh.

Currently I have Apache listen on multiple ports, and each client
accesses the server through a different port.  Is that necessary?

I did this partly because forward only maps (from the client) do not
seem reliable.  That is, in addition to saying that client port 8000
should tunnel to port 80 on the server, I seem to need to say that
remote port 80 needs to be forwarded to local 8000.  In my ssh config
file on the client that means I give the server options
	LocalForward 8000 localhost:80
	RemoteForward 8000 localhost:80

Is there a simpler way?

Thanks.
Ross Boylan

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2409127

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: port forwarding questions

Posted by Jake Stone <ja...@gmail.com>.
Ross Boylan wrote:
> On Mon, 2009-10-19 at 16:57 -0500, Ryan Schmidt wrote:
>   
>> On Oct 19, 2009, at 15:20, Ross Boylan wrote:
>>
>>     
>>> My subversion server is running under Apache, and I have clients from
>>> several machines connecting to it simultaneously via ssh.
>>>
>>> Currently I have Apache listen on multiple ports, and each client
>>> accesses the server through a different port.  Is that necessary?
>>>
>>> I did this partly because forward only maps (from the client) do not
>>> seem reliable.  That is, in addition to saying that client port 8000
>>> should tunnel to port 80 on the server, I seem to need to say that
>>> remote port 80 needs to be forwarded to local 8000.  In my ssh config
>>> file on the client that means I give the server options
>>> 	LocalForward 8000 localhost:80
>>> 	RemoteForward 8000 localhost:80
>>>
>>> Is there a simpler way?
>>>       
>> Can't all users just access the same URL on the Apache server? 
>>     
> That was my question.  As I said, the apparent need for a reverse tunnel
> was one factor in doing things separately.  I'm not sure if a single
> port would work even with forward tunneling only.
>   
>> Why  
>> have you set up separate Apache port numbers for each user? 
>>     
> See above.
>   
>> Why are  
>> users ssh'ing in to the server and then using the Apache URL, instead  
>> of using the Apache URL directly from their own computers? 
>>     
> Firewall and security issues.
>   
>> If  
>> encryption is the concern, wouldn't using https be the more natural  
>> fit than trying to tunnel over ssh? 
>>     
> The machine is not directly accessible from outside the firewall, so
> https is not an option.
>
>   
>> I have no experience with ssh  
>> tunneling, but it sounds like it introduces unnecessary complexity.
>>     
>
> BTW, on client machines the server appears to be running on the client,
> accessible by, e.g., http://localhost:8000/svn/....
>
>   
> Ross
>
> ------------------------------------------------------
> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2409150
>
>   
In general, you are on the right track - making people SSH is an easy 
way to only expose one port & encrypt the traffic. However, you only 
need one SSH port for everyone, as I mentioned in my previous email.

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2409173


Re: port forwarding questions

Posted by Ross Boylan <ro...@biostat.ucsf.edu>.
On Mon, 2009-10-19 at 16:57 -0500, Ryan Schmidt wrote:
> On Oct 19, 2009, at 15:20, Ross Boylan wrote:
> 
> > My subversion server is running under Apache, and I have clients from
> > several machines connecting to it simultaneously via ssh.
> >
> > Currently I have Apache listen on multiple ports, and each client
> > accesses the server through a different port.  Is that necessary?
> >
> > I did this partly because forward only maps (from the client) do not
> > seem reliable.  That is, in addition to saying that client port 8000
> > should tunnel to port 80 on the server, I seem to need to say that
> > remote port 80 needs to be forwarded to local 8000.  In my ssh config
> > file on the client that means I give the server options
> > 	LocalForward 8000 localhost:80
> > 	RemoteForward 8000 localhost:80
> >
> > Is there a simpler way?
> 
> Can't all users just access the same URL on the Apache server? 
That was my question.  As I said, the apparent need for a reverse tunnel
was one factor in doing things separately.  I'm not sure if a single
port would work even with forward tunneling only.
> Why  
> have you set up separate Apache port numbers for each user? 
See above.
> Why are  
> users ssh'ing in to the server and then using the Apache URL, instead  
> of using the Apache URL directly from their own computers? 
Firewall and security issues.
> If  
> encryption is the concern, wouldn't using https be the more natural  
> fit than trying to tunnel over ssh? 
The machine is not directly accessible from outside the firewall, so
https is not an option.

> I have no experience with ssh  
> tunneling, but it sounds like it introduces unnecessary complexity.

BTW, on client machines the server appears to be running on the client,
accessible by, e.g., http://localhost:8000/svn/....

> 
Ross

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2409150


Re: port forwarding questions

Posted by Ryan Schmidt <su...@ryandesign.com>.
On Oct 19, 2009, at 15:20, Ross Boylan wrote:

> My subversion server is running under Apache, and I have clients from
> several machines connecting to it simultaneously via ssh.
>
> Currently I have Apache listen on multiple ports, and each client
> accesses the server through a different port.  Is that necessary?
>
> I did this partly because forward only maps (from the client) do not
> seem reliable.  That is, in addition to saying that client port 8000
> should tunnel to port 80 on the server, I seem to need to say that
> remote port 80 needs to be forwarded to local 8000.  In my ssh config
> file on the client that means I give the server options
> 	LocalForward 8000 localhost:80
> 	RemoteForward 8000 localhost:80
>
> Is there a simpler way?

Can't all users just access the same URL on the Apache server? Why  
have you set up separate Apache port numbers for each user? Why are  
users ssh'ing in to the server and then using the Apache URL, instead  
of using the Apache URL directly from their own computers? If  
encryption is the concern, wouldn't using https be the more natural  
fit than trying to tunnel over ssh? I have no experience with ssh  
tunneling, but it sounds like it introduces unnecessary complexity.

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2409147


Re: port forwarding questions

Posted by Ross Boylan <ro...@biostat.ucsf.edu>.
On Tue, 2009-10-20 at 12:26 +0200, Dag-Erling Smørgrav wrote:
> Ross Boylan <ro...@biostat.ucsf.edu> writes:
> > My subversion server is running under Apache, and I have clients from
> > several machines connecting to it simultaneously via ssh.  [lots of
> > complicated stuff elided].  Is there a simpler way?
> 
> Why not just use svn+ssh?
I'll keep that in mind for my next client, which will be Windows XP; the
others have all been Linux.  I've already got apache running, so it's
not a big deal to use it.

The docs seem to imply that multiple tunneled svnserve's can run at
once; is that right?  Is it safe to run them while also running the
Apache interface?

Is there a permission problem?  The 1.5 manual says "This mode [svn+ssh]
assumes that a remote-service program such as rsh or ssh has
successfully authenticated a user and is now invoking a private svnserve
process as that user."  That sounds as if the svn repository needs to be
writeable (assuming commits) by the user.  Currently my system isn't
set up that way.  I could enable access, though that would also permit
file:// based access, which I gather is not a good idea when there are
multiple clients.

Ross

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2409490


Re: port forwarding questions

Posted by Dag-Erling Smørgrav <de...@des.no>.
Ross Boylan <ro...@biostat.ucsf.edu> writes:
> My subversion server is running under Apache, and I have clients from
> several machines connecting to it simultaneously via ssh.  [lots of
> complicated stuff elided].  Is there a simpler way?

Why not just use svn+ssh?

DES
-- 
Dag-Erling Smørgrav - des@des.no

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2409327


Re: port forwarding questions

Posted by Jake Stone <ja...@gmail.com>.
Ross Boylan wrote:
> On Mon, 2009-10-19 at 15:27 -0500, Jake Stone wrote:
>   
>> I presume your Apache machine ports are not accessible without SSH, due 
>> to firewall, router, or security?
>> (If you want Apache to be publicly accessible, you need port-forwarding.)
>>     
> Correct.
>   
>> If you want to keep Apache accessible via SSH only, you can have it 
>> listen on port 80 as expected. Then, in user's SSH sessions, re-direct 
>> the remote port 80 to or localhost:PORT. Then they can access your site 
>> by browsing to http://127.0.0.1:PORT
>>
>> This SSH port-tunneling is done with the SSH client, not apache; 
>> configure apache as if there were no SSHing involved, then instruct 
>> clients to SSH in correctly.
>>     
> But can simultaneous clients ssh in to the same port?
> Ross
>   
>> Ross Boylan wrote:
>>     
>>> My subversion server is running under Apache, and I have clients from
>>> several machines connecting to it simultaneously via ssh.
>>>
>>> Currently I have Apache listen on multiple ports, and each client
>>> accesses the server through a different port.  Is that necessary?
>>>
>>> I did this partly because forward only maps (from the client) do not
>>> seem reliable.  That is, in addition to saying that client port 8000
>>> should tunnel to port 80 on the server, I seem to need to say that
>>> remote port 80 needs to be forwarded to local 8000.  In my ssh config
>>> file on the client that means I give the server options
>>> 	LocalForward 8000 localhost:80
>>> 	RemoteForward 8000 localhost:80
>>>
>>> Is there a simpler way?
>>>
>>> Thanks.
>>> Ross Boylan
>>>
>>> ------------------------------------------------------
>>> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2409127
>>>
>>>   
>>>       
>
>   
Yes! Multiple clients can connect on the same port on SSH, or indeed 
most any internet-enabled service. This is in the same manner such that 
everyone can connect to Apache on port 80 if it were not firewalled. A 
computer uses virtual ports to decide which application is listening to 
which traffic. Imagine if the Google servers needed a separate port for 
every single user...

If you'd like to learn more about networking, I'd highly recommend the 
book "TCP/IP in 24 hours" by Joe Casad, which is a dry but extensive 
look at the primary aspects of networking. It helped me greatly when 
trying to understand various VPN setups and other server work.

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2409179
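
An added example, not part of any poster's message: the single-port setup described in the replies above, with a forward tunnel only on each client, every client connecting to the same sshd port, and server-side restrictions so that tunnel accounts can reach nothing but Apache. The host alias `svn-tunnel`, the host name `svn.example.org` and the group `svntunnel` are assumptions made for illustration.

```sshconfig
# --- Client side: ~/.ssh/config (identical on every client machine) ---
# Host alias and host name are placeholders.
Host svn-tunnel
    HostName svn.example.org
    # Local port 8000 -> port 80 on the server, resolved on the server side.
    LocalForward 8000 localhost:80
    # No RemoteForward here: that directive opens a listening port on the
    # *server* and sends its traffic back to the client, which this setup
    # does not need.
    # Fail instead of opening a session without the tunnel
    # (for example when local port 8000 is already in use).
    ExitOnForwardFailure yes

# --- Server side: /etc/ssh/sshd_config ---
# "svntunnel" is a hypothetical group holding the tunnel accounts.
Match Group svntunnel
    # Permit client-to-server (-L) forwards only; needs OpenSSH 6.2 or later.
    AllowTcpForwarding local
    # The only destination a forward may reach is Apache on loopback.
    PermitOpen localhost:80
    X11Forwarding no
    AllowAgentForwarding no
```

With `ssh -N svn-tunnel` running, each client uses `http://localhost:8000/svn/...` while Apache keeps a single listening port.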
